Original file line number Diff line number Diff line change
Expand Up @@ -58,3 +58,7 @@ if the user has not yet logged in to Rancher. However, if the user has previousl
### You are not redirected to your authentication provider

If you fill out the **Configure an Amazon Cognito account** form and click on **Enable**, and you are not redirected to Amazon Cognito, verify your Amazon Cognito configuration.

## Configuring OIDC Single Logout (SLO)

<ConfigureSLOOidc />
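Review bot: the new `## Configuring OIDC Single Logout (SLO)` section is appended after the `### You are not redirected to your authentication provider` troubleshooting entry, so the last H2 on the page reads as a continuation of troubleshooting rather than as a configuration step. Suggest moving the heading and `<ConfigureSLOOidc />` up next to the other setup sections. Also confirm that the shared partial's generic instructions for reading `end_session_endpoint` from the OIDC discovery document hold for Amazon Cognito; if Cognito exposes its logout URL in a different place, this page needs a provider-specific note rather than the shared text alone.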
Original file line number Diff line number Diff line change
Expand Up @@ -108,3 +108,7 @@ If the `Issuer` and `Auth Endpoint` are generated incorrectly, open the **Config
### Error: "Invalid grant_type"

In some cases, the "Invalid grant_type" error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.

## Configuring OIDC Single Logout (SLO)

<ConfigureSLOOidc />
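Review bot: `## Configuring OIDC Single Logout (SLO)` lands directly under the `### Error: "Invalid grant_type"` entry, which is the tail of a troubleshooting list, so a reader scanning headings will take SLO for another error case. Place it with the configuration sections earlier in the page, or at least before the first troubleshooting heading, and keep the trailing blank line before the heading so the partial's own `### Prerequisites` nests under the H2.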
Original file line number Diff line number Diff line change
Expand Up @@ -203,3 +203,7 @@ To resolve this, you can either:
3. Save your changes.

2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.

## Configuring OIDC Single Logout (SLO)

<ConfigureSLOOidc />
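Review bot: the section is inserted immediately after the numbered fix list that ends with `2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.`; with no closing sentence for that troubleshooting entry, the H2 and the embedded partial look like a third option under `To resolve this, you can either:`. Move the SLO section above the troubleshooting content, or add a short closing line to the entry so the boundary is visible.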
33 changes: 33 additions & 0 deletions shared-files/_configure-slo-oidc.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
Rancher supports the ability to configure OIDC Single Logout (SLO). Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options.

### Prerequisites

Before configuring OIDC SLO, ensure the following is set up on your IdP:

- **SLO Support**: The **Log Out behavior** configuration section only appears if your OIDC IdP allows for `OIDC SLO`.
- **Post-Logout Redirect URI**: Your Rancher Server URL must be configured as an authorized post-logout redirect URI in your IdP's OIDC client settings. This URL is used by the IdP to redirect a user back to Rancher after a successful external logout.

### OIDC SLO Configuration

Configure the SLO settings when setting up or editing your OIDC authentication provider.

1. Sign in to Rancher using a standard user or an administrator role.
1. In the top left corner, select **☰** > **Users & Authentication**.
1. In the left navigation menu, select **Auth Provider**.
1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below:

| Setting | Description |
| ------------------------- | ----------------------------------------------------------------------------- |
| Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. |
| Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. |
| Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. |

1. If you choose to log out of your IdP, provide an [**End Session Endpoint**](#how-to-get-the-end-session-endpoint). Rancher uses this URL to initiate the external logout.

#### How to get the End Session Endpoint

The `end_session_endpoint` is one of the specific URLs published within a standardized JSON object containing the IdP's metadata and is retrieved from the OIDC Discovery URL. To get the `end_session_endpoint` from the OIDC Discovery URL, follow these steps:

1. Obtain the Discovery URL by appending the IdP Issuer URL with the well-known path (`.well-known/openid-configuration`).
1. Send an HTTP `GET` request to the Discovery URL.
1. In the JSON object, look for the key named `end_session_endpoint`.
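Review bot: the procedure under `### OIDC SLO Configuration` has no final save step: after choosing a **Log Out behavior** setting and entering the End Session Endpoint it simply stops, so add a closing step such as `1. Click **Save**.` (using whatever the form's button is actually labelled). Step 1, `Sign in to Rancher using a standard user or an administrator role`, should be checked against who can edit **Auth Provider** settings; if only administrators can, drop `a standard user`. In the table, `logout` is used as a verb (`will only logout the Rancher application`, `will logout Rancher`); the verb form is `log out`. The End Session Endpoint guidance would benefit from one caveat: Rancher redirects the user's browser to that URL at logout, so the value entered should be the one served by the issuer's own discovery document over HTTPS and should sit on the issuer's host, not a URL copied from elsewhere, otherwise a mistyped or third-party address becomes the logout destination. Finally, the `SLO Support` prerequisite says the section only appears if the IdP `allows for OIDC SLO` but not how Rancher decides that; stating the condition (for example, which discovery key it looks for) would help readers whose **Log Out behavior** section is missing.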
2 changes: 2 additions & 0 deletions src/theme/MDXComponents.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import DeprecationWeave from '/shared-files/_deprecation-weave.md';
import DeprecationHelm2 from '/shared-files/_deprecation-helm2.md';
import DockerSupportWarning from '/shared-files/_docker-support-warning.md';
import ConfigureSLO from '/shared-files/_configure-slo.md';
import ConfigureSLOOidc from '/shared-files/_configure-slo-oidc.md';
import EOLRKE1Warning from '/shared-files/_eol-rke1-warning.md';
import PermissionsWarning from '/shared-files/_permissions-warning.md';

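Review bot: the new `ConfigureSLOOidc` import sits beside the existing `ConfigureSLO`, and nothing in the names says which protocol `ConfigureSLO` covers; a one-line comment on the pair, or renaming them so both carry a protocol suffix, would make it harder for a page to embed the wrong partial. The path `/shared-files/_configure-slo-oidc.md` matches the new shared file, so the import itself is correct.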
Expand All @@ -27,6 +28,7 @@ export default {

CNIPopularityTable,
ConfigureSLO,
ConfigureSLOOidc,
DeprecationOPAGatekeeper,
DeprecationWeave,
DeprecationHelm2,